US6225888B1 - Authentication between communicating parties in a telecommunications network - Google Patents


Publication number
US6225888B1
Authority
US
United States
Prior art keywords
terminal equipment
network element
authentication
identifier
message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
US09/327,609
Inventor
Jari Juopperi
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Solutions and Networks Oy
Original Assignee
Nokia Telecommunications Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from PCT/FI1997/000765 (WO1998026538A1)
Application filed by Nokia Telecommunications Oy
Assigned to NOKIA TELECOMMUNICATIONS OY: ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: JUOPPERI, JARI
Application granted
Publication of US6225888B1
Assigned to NOKIA SIEMENS NETWORKS OY: ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: NOKIA CORPORATION
Assigned to NOKIA SOLUTIONS AND NETWORKS OY: CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: NOKIA SIEMENS NETWORKS OY
Anticipated expiration
Expired - Lifetime

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/75 Temporary identity

Definitions

  • This invention concerns origination of data transmission in a multiple access network, wherein the terminal equipment requests a channel for itself from the network using a common access channel intended for all terminal equipment and wherein in response to the request the network on a common access grant channel intended for all terminal equipment makes known that channel to the terminal equipment on which information transmission proper will take place.
  • MAC layer: Medium Access Control Sublayer
  • a channel is assigned on which all mobile stations when forming mobile originated calls send a request for a traffic channel from the network.
  • the request which is relayed over the radio path to the base station and from this along a cable to the base station controller, contains the mobile station's identifier IMSI, so that the base station controller will know from whom the request has come.
  • IMSI: mobile station's identifier
  • RACH: Random Access Channel
  • the mobile station will try again after a moment until the request is received.
  • the network sends to the mobile stations acknowledgements of the requests on a channel to which all mobile stations are listening.
  • this channel is called Access Grant Channel (AGCH): the acknowledgement contains the mobile station's identifier, from which the mobile station will know that the message is intended for itself, and the number of the channel allocated by the network as a traffic channel.
  • AGCH: Access Grant Channel
  • Access in accordance with the MAC protocol is also used in interactive cable TV systems, where a desired audiovisual service can be transferred to several recipients through a fixed network.
  • the physical transfer path may be a coaxial cable and/or an optical cable or a radio network or the distribution may take place through a satellite.
  • the name Head End is given to a central place where an incoming dispatch is divided over several physical signal paths, such as several optical fibers, by which the dispatch is taken closer to the consumers.
  • transmission may take place both in downlink and uplink directions in time slots which are numbered starting from zero and ending with some max number, after which numbering starts again.
  • the time slots 0, . . . , max form a frame.
  • such a channel may be used in the uplink direction where the access form is Aloha, whereby all subscribers may send requests in any time slot.
  • the network acknowledges a successful transmission by echo checking on a downlink channel.
  • only a certain time slot may alternatively be used for sending requests. This is a slotted Aloha access type. It is essential also in these systems for the terminal to include its identifiers in its access message, so that the Head End may know who sent the request.
  • the request message contains requester A's identifier.
  • the network element may perform authentication of the requester, and if the matter is OK, it will allocate a private channel T for the requestor and will send information about the channel either on the same common channel U or on another common return path channel D.
  • the information contains requester A's identifier.
  • A receives the message and begins communicating on the allocated channel T.
  • FIG. 2 shows exchange of messages used in network access in a known GSM mobile telephone system.
  • when a mobile station wishes to form a call, it sends on a one-way (uplink direction) Random Access Channel (RACH) to the base station a Channel Request to have a Traffic Channel (TCH) at its disposal, step 211.
  • the request contains a 5-bit random number, which first functions as the mobile station's identifier.
  • the base station receives, step 213, and relays the request to the base station controller, which selects a free channel, activates it on the base station, step 212, and then forms an Immediate Assignment, which the base station sends on a Paging and Access Grant Channel (PAGCH) to the mobile station, step 214.
  • PAGCH: Paging and Access Grant Channel
  • the assignment contains a description of the allocated channel, a preset timing value, the transmission power value to be used and the same 5-bit random number which was sent by the mobile station, and also the time slot number with which the base station had received the channel request. With this information the mobile station is able to distinguish the message intended for itself and will learn the allocated traffic channel, step 215 .
  • the mobile station then signals to the base station on the traffic channel the link layer initial message containing the SABM frame.
  • the mobile station states its identity IMSI (International Mobile Subscriber Identity) or its Temporary Mobile Subscriber Identity (TMSI), step 224.
  • the base station receives the message, step 226, and acknowledges it with a response message, the UA frame of which contains the identity of the mobile station, step 228.
  • the mobile station compares its own identity with the received identity, step 223, and if the identities are similar, it will know that the traffic channel is reserved for itself.
  • authentication is also performed on the principle that the network puts a question to the mobile station to which only the right mobile station will know the answer.
  • Authentication is based on an authentication algorithm A3 and on a subscriber-specific authentication key Ki.
  • the authentication center AuC sends a question to the mobile station which is a random number RAND.
  • the mobile station receives the RAND, transfers it to the SIM card, which performs the A3 algorithm with its aid and with the aid of the subscriber-specific key Ki in the card.
  • the Signed Result (SRES) is sent by the mobile station to the network.
  • Authentication center AuC compares the SRES value with the value which it has computed itself using the same A3 algorithm, RAND and key Ki.
  • the mobile station uses the received RAND and Ki values also for computing a connection-specific encryption key Kc.
  • authentication center AuC performs the same algorithm with the same values, thus resulting in the same encryption key. Both store the key in memory and in addition the mobile station sends the key to authentication center AuC, which checks to make sure that both are using the same keys.
  • the mobile station has sent its own identity to the network before it is quite sure that the traffic channel is allocated to itself and to nobody else.
  • the network always performs the authentication. It is hereby possible for a third party to come between the identifying party and the one to be identified, to eavesdrop on the first messages and to put himself in the other party's place. This is possible especially if a part of the transmission path between A and B is a radio path, which is the case in mobile telephone networks, but likewise in fixed networks a third party may connect to the line and eavesdrop on the traffic. It is hereby possible for the third party to capture a channel request message sent by terminal equipment A and to interpret from this the request and, above all, A's identifier. It will then in one way or another eliminate terminal equipment A and take its place. It then receives the channel allocation message sent by the network element, connects to the channel pretending to be terminal equipment A and thus gains access to the network. There is no possibility for network element B to know that it is communicating with a third party instead of the genuine terminal equipment A.
  • It is also possible for network element B to be the impostor. Hereby terminal equipment A when contacting network element B immediately gives it its identity data in the first message. B hereby knows who A is, but A does not know that B is only pretending to be A. Such a situation is possible e.g. in mobile station networks, whereby a “false” base station may take the place of the genuine one and thus eavesdrop on and control the radio traffic.
  • the present invention thus aims at a method by which it is possible to prevent the described situations, and such a case in particular where the terminal equipment never discloses its identity to any third party eavesdropping on the traffic between the terminal equipment and the network element and where the terminal equipment will disclose its identity only when being sure that the network element really is the one it declares itself to be, whereby when the network element is an impostor it will never know the true identity of the terminal equipment.
  • the proposed method is based on the fact that the commitment protocol applies bit commitment known from cryptography and a shared encryption key and that authentication is divided into two, whereby a part of the authentication is done by the terminal equipment and the other part is done by the network.
  • the terminal equipment first makes sure that the network element is authentic by performing authentication of the network element. In this connection the network element will disclose its own identity. Then the terminal equipment reveals its own identity to the network element by sending the necessary information on a protected channel. Finally, the network element authenticates the terminal equipment by using the identity information which it has disclosed. Only after this can traffic be started.
  • the terminal equipment requesting access in the commitment protocol first makes a pseudo identifier for itself, which it forms by applying a one-way hash function to its correct identifier.
  • the hash function is not applied to the identifier as such, but the correct identifier is first encrypted. This being the case, the network or network element upon receiving the pseudo identifier can not get to know the correct identifier without the code.
  • When the network element has stated the traffic channel to the terminal equipment, about which it knows only the pseudo identifier at this stage, the terminal equipment will generate its own security key half, that is, the first partial key, and will send it to the network. On receiving the partial key the network element will also form its own security key half, that is, the second partial key. It sends these to the terminal equipment of the pseudo identifier, so both parties will at this stage have both partial keys in their possession.
  • the terminal equipment checks if the pseudo identifier received from the network element and the pseudo identifier it formed earlier itself are identical, and if they are, it will perform authentication of the network element in some known manner.
  • After authentication, the network element has revealed itself to the terminal equipment, but the real identity of the terminal equipment is still known only to the terminal equipment. The network element will not get to know the real identity until the terminal equipment has sent information to it on how the true identity was encrypted before the use of the hash function.
  • the terminal equipment now sends its own true identifier to the network element.
  • the terminal equipment forms a message containing a) its true identifier, b) information on how the true identifier was encrypted before application of the hash function. It encrypts the message before sending it by using a key formed both of the first and of the second partial key.
  • the network element receives the message, decodes it using the first and second partial key and checks if the contents of the message are correct. If they are, the network element will perform authentication of the terminal equipment by some known method.
  • traffic can be started on the traffic channel.
  • FIG. 1 shows state-of-the-art message exchange
  • FIG. 2 shows message exchange in a mobile telephone system
  • FIG. 3 shows a commitment protocol according to the invention
  • FIG. 4 illustrates exchange of messages.
  • FIG. 3 shows a method according to the invention as applied to a GSM cellular system. It thus contains the same elements as the basic procedure shown in FIG. 2, so the description will also refer to FIG. 2 when required.
  • the commitment protocol to be used in the invention requires five steps, each one of which is known from cryptography:
  • bit block commitment is described in detail in a book by Bruce Schneier: “Applied Cryptography, Second Edition, Protocols, Algorithms, and Source Code in C”, John Wiley & Sons; Inc, 1996, ISBN 0-471-11709-9. The method is such that
  • party A first forms random bit strings R1 and R2.
  • bit string S, e.g. an identifier, some message or other
  • Random bit strings R1 and R2 as well as identifier S are simply located one after the other in the message.
  • Party A applies a one-way hash function h to the message and sends the result h(R1, R2, S) and either one of the random strings, e.g. R1, to party B.
  • This transmission proves to B that A has really sent bit string S.
  • the use of a one-way hash function prevents B from inverting the function, and for this reason B, although knowing the hash function and one random string R1, cannot get to know bit string S, because the other random string R2 is hashed.
  • When it is time for party A to disclose bit string S, it will send the original message (R1, R2, S) to party B.
  • Party B applies a one-way hash function to this message and compares the result and random string R1 to that which party A already sent earlier in step 3. If all tally, the received string S is correct.
  • party B does not send even the first message.
  • H = h(M)
  • M: a binary string of arbitrary length
  • h: a one-way hash function
  • H: a binary string of fixed length
  • as hash functions which may be used in this invention, SHA (Secure Hash Algorithm) and MD5 (Message Digest Algorithm 5) may be mentioned, but it is of course possible in principle to use any kind of other known hash function.
  • SHA: Secure Hash Algorithm
  • MD5: Message Digest Algorithm 5
  • the purpose of the key exchange algorithm used in the commitment protocol is to form an encryption key for two or more parties even if there is no secure transfer channel between the parties.
  • the Diffie-Hellman key exchange described in the publication referred to above and the RSA public key encryption algorithm are well suited for use in this invention.
  • the mobile station sends a pseudo identifier AMSI. This it forms as follows by using the one-way hash function, step 311, FIG. 3:
  • AMSI = h(IMSI, RND1, RND2)
  • h is some one-way hash function
  • IMSI is the mobile station's real identifier
  • the first random number RND1 is a string of binary figures of finite length
  • the second random number RND2 is a string of binary figures of finite length.
  • the real identifier is coded in a sense with the first and second random numbers by simply placing the numbers and the identifier in a sequence to form a chain, and the hash function is applied to the chain.
  • the mobile station sends its pseudo identifier AMSI and the first random number RND1 through the transmission network to the network element, step 312.
  • the transmission network may be either just a radio path or a combination of radio path and cable network depending on whether the network element means a base station, a base station controller or a mobile telephone exchange.
  • the essential nature of the network element is not essential to the invention.
  • the base station controller receives, relayed by the base station, a channel request message containing a pseudo identifier AMSI, step 313, whereupon it performs selection and activation of the traffic channel, as in the known method, that is, step 23 in FIG. 2, and in the normal manner sends a channel allocation message, wherein the allocated traffic channel is indicated, step 314.
  • the mobile station first makes its own security key MKEY, which is here called the first partial key, step 315.
  • MKEY: the first partial key
  • Information contained in the first partial key is used in the key exchange procedure to be carried out later. It places the partial key which it has formed in the originating message and it signals the message to the base station on the indicated traffic channel, step 316.
  • the network element receives the first partial key of the message, step 317. It then makes its own security key BKEY, which is here called the second partial key, step 318. Information contained in the second partial key is used in the key exchange procedure to be performed later. It then forms an acknowledgement message containing the pseudo identifier AMSI which it received earlier and the second encryption key BKEY which it has formed, and it sends an acknowledgement message to the mobile station, step 320.
  • the mobile station receives the acknowledgement message, step 321, and separates the elements of its contents. It examines first whether the pseudo identifier AMSI contained in the message is the same as the pseudo identifier AMSI which it created itself in step 311. If the comparison, step 322, shows that the pseudo identifiers are different, the mobile station will know that the traffic channel indicated in step 314 was not intended for itself, so it must start the access process from the beginning, from step 311. If the comparison shows that the pseudo identifiers are identical, the mobile station will know that the traffic channel indicated in step 314 is really intended for itself.
  • the mobile station performs authentication of the network element to make sure that the network element, in this case a base station, really is what it claims to be.
  • the authentication procedure may be any procedure, e.g. the authentication procedure nowadays used in the GSM system is suitable.
  • After a successful authentication the mobile station knows that it is dealing with a real base station and not with an impostor, so it is time for it to reveal its true identity. To this end it forms a message containing the real identifier IMSI (or the temporary identifier TMSI, if there is one), the first random number RND1 and the second random number RND2. Thus, the message is the same as the one to which it applied the hash function in step 311. Finally, it encrypts the whole message with encryption key BMKEY, which is formed of the first partial key MKEY and of the second partial key BKEY, step 324. The mobile station sends this key-encrypted message to the network, step 325.
  • IMSI: real identifier
  • TMSI: temporary identifier
  • in step 326 the network element decodes the encrypted message by using security key BMKEY, which is a combination of the second partial key BKEY which it generated itself in step 318 and of the first partial key MKEY received from the mobile station in step 317.
  • the network element then performs a check of the validity of elements contained in the message, step 327.
  • First, it calculates the result of the formula AMSI = h(IMSI, RND1, RND2) calculated by using elements of the message. It then examines whether the AMSI produced by the formula is the same as the one it received earlier from the mobile station in step 313.
  • the network element checks if the second random number RND1 given in the message is the same as the one it received in step 313. If all AMSIs are exactly identical and the second random numbers tally, the network element will be assured that the mobile station is exactly the same as the one at issue in the beginning of the process. If the received values do not tally fully in the check, the network element will interrupt the access protocol and will remove the traffic channel from use by this session, whereby it may be allocated to some other connection.
  • the network element will also perform authentication of the mobile station. If the authentication gives a proper result, traffic may commence on the indicated traffic channel.
  • the signal diagram in FIG. 4 shows messages which are exchanged on the radio path between mobile station MS and base station BTS in the procedure shown in FIG. 3. Excepting authentication messages, there is hardly any more exchange of messages in the proposed method than in a state-of-the-art GSM system.
  • the main information exchanged in the messages is shown within parentheses in the figure.
  • the channels are also marked, and as can be noticed a major part of the messages is signaled on the traffic channel.
  • the purpose of the authentication of the network element, e.g. the base station, in steps 323 in FIGS. 3 and 4 is to provide the terminal equipment, e.g. the mobile station, with a possibility to check that it shares the secret key MBKEY with an honest network element, in other words, that the network element has such an operator's certificate which the terminal equipment trusts.
  • Authentication of the network element is limited by the circumstance that the terminal equipment must perform authentication based on that information only which the network element supplies.
  • ISO standard X.509 presents a set of authentication protocols which are suitable for use in this method. A brief description will be given of a straightforward protocol based on certificate and digital signature, as an example of a possible protocol by which the mobile station may make sure the relation of the base station and the key MBKEY:
  • MS sends a randomly chosen string of binary figures RDN3 to the base station.
  • the base station receives the RDN3 and makes a message containing a certificate and the RDN3. It signs the message with a digital signature and then encrypts the message by using the key MBKEY and sends the message to the mobile station.
  • the mobile station decodes the encrypted message, checks the signature, the signature to the certificate and makes sure that the string of random figures sent in the message is the same as the one which it has sent earlier to the base station. If the message passes all these checks, then the authentication has given a positive result.
  • the purpose of the authentication of terminal equipment, e.g. of a mobile station, by the network element in step 328 shown in FIGS. 3 and 4 is to give an honest network element a possibility to make sure that it shares a common secret key (MBKEY) with such a piece of terminal equipment, the identifier of which (IMSI/TMSI) is exactly the one which the terminal equipment has sent in its message revealing the true identifier in step 325 of FIG. 3.
  • the authentication differs from the authentication performed by the terminal equipment (the mobile station) for the reason that the terminal equipment has already revealed its true identity. For this reason, the network element performs an inquiry to some suitable database of the network asking for information about the terminal equipment which has this very identifier (IMSI/TMSI). In a mobile network the database is by nature a home location register (HLR). If the register information relating to the identifier indicates that all is okay, then the authentication has given a positive result and traffic may commence.
  • HLR: home location register
  • the identifier of the terminal equipment is sent in messages 1, 4 and 6. It results from the characteristics of the hash function described on page 7 that any trespasser cannot possibly calculate the true identifier from messages 1 and 4.
  • the true identifier to be transmitted in step 6 is encrypted with a common key, which is known only to the parties, so any trespasser can not find out the identifier without breaking the encryption algorithm.
  • any foreign base station trying to put itself in the position of the real base station may indeed capture messages 1-4, FIG. 4, but if the authentication of the base station performed by the terminal equipment proceeds as it should, it will realize that the base station is not genuine and will discontinue the protocol. As the terminal equipment has sent its pseudo identifier only, no deceitful base station will be able in any way to calculate the true identifier thanks to the characteristic of the one-way hash function.
  • an honest base station is able to conclude whether the terminal equipment for which the channel was allocated is that very terminal equipment which sent the channel request. Based on the characteristics of the one-way hash function presented on page 7 it is impossible for any other terminal equipment than the one which has sent the channel request to calculate such parameters that would lead to an acceptable final result after the reception of message 6 in the base station of FIG. 4. Under these circumstances, the terminal equipment may on good grounds conclude if the traffic channel is intended exactly for itself, having received the acknowledgement message, message 4 in the figure.
  • the network element notices the attempt of a foreign terminal equipment to “steal” a traffic channel from the original requester, step 6 in FIG. 4, because it has received the pseudo identifier AMSI from the requester in the beginning of the protocol and because it is impossible for any foreign terminal equipment to calculate the second random number and the true identifier from the pseudo identifier.
  • the proposed commitment protocol adds to the traffic on the transmission path to some extent, mainly for the reason that message lengths will grow compared e.g. to typical message lengths in a GSM system.
  • the length of the pseudo identifier is 160 bits, if the MD5 algorithm is used as hash function. If the Diffie-Hellman key exchange algorithm is used in the key exchange, the amount of information to be transmitted will be at least 500-1000 bits.
  • the proposed commitment protocol may be applied within the scope of the claims to any telecommunications network where the terminal equipment using joint resources first requests a connection from the network for transmission of information and the network in response to the request indicates the required connection.
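
The commit, echo and reveal checks of steps 311-313, 320-322 and 324-327, as an added Python example that is not part of the patent text. SHA-256 stands in for h, the length-prefixed encoding, the 16-byte random strings and the IMSI values are assumptions of this example, and the key exchange (MKEY, BKEY) and the BMKEY encryption are left out, so `reveal()` returns the message as it looks after decryption in step 326.

```python
import hashlib
import hmac
import secrets

RND_LEN = 16  # bytes per random string; assumed, the text only says "finite length"


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix every field so the hashed chain can be parsed only one way."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def pseudo_identifier(imsi: str, rnd1: bytes, rnd2: bytes) -> bytes:
    """AMSI = h(IMSI, RND1, RND2); SHA-256 is this example's choice of h."""
    return hashlib.sha256(encode_fields(imsi.encode(), rnd1, rnd2)).digest()


class MobileStation:
    def __init__(self, imsi: str):
        self.imsi = imsi
        self.rnd1 = secrets.token_bytes(RND_LEN)
        self.rnd2 = secrets.token_bytes(RND_LEN)  # never sent before the reveal
        self.amsi = pseudo_identifier(imsi, self.rnd1, self.rnd2)  # step 311

    def channel_request(self) -> dict:
        """Step 312: only the commitment and RND1 go out on the common channel."""
        return {"amsi": self.amsi, "rnd1": self.rnd1}

    def channel_is_mine(self, ack: dict) -> bool:
        """Step 322: accept the channel only if the echoed AMSI is our own."""
        return hmac.compare_digest(ack["amsi"], self.amsi)

    def reveal(self) -> dict:
        """Step 324: plaintext of the reveal message (IMSI, RND1, RND2)."""
        return {"imsi": self.imsi, "rnd1": self.rnd1, "rnd2": self.rnd2}


class NetworkElement:
    def __init__(self):
        self.pending = {}  # traffic channel number -> (AMSI, RND1) from step 313
        self._next_channel = 1

    def on_channel_request(self, req: dict) -> int:
        """Steps 313-314: remember the commitment and allocate a channel."""
        channel = self._next_channel
        self._next_channel += 1
        self.pending[channel] = (req["amsi"], req["rnd1"])
        return channel

    def acknowledge(self, channel: int) -> dict:
        """Step 320: echo the AMSI this channel was allocated for."""
        return {"amsi": self.pending[channel][0]}

    def verify_reveal(self, channel: int, msg: dict) -> bool:
        """Step 327: recompute AMSI from the reveal and compare with step 313."""
        if channel not in self.pending:
            return False
        amsi, rnd1 = self.pending[channel]
        recomputed = pseudo_identifier(msg["imsi"], msg["rnd1"], msg["rnd2"])
        ok = (hmac.compare_digest(recomputed, amsi)
              and hmac.compare_digest(msg["rnd1"], rnd1))
        if not ok:
            del self.pending[channel]  # mismatch: release the traffic channel
        return ok


def demo() -> dict:
    """Run the honest exchange and the two mismatch cases the text describes."""
    ne = NetworkElement()
    ms = MobileStation("244051234567890")  # constructed IMSI
    req = ms.channel_request()
    ch = ne.on_channel_request(req)
    ack = ne.acknowledge(ch)

    # A second terminal hears the same acknowledgement on the shared channel.
    other = MobileStation("244059876543210")  # constructed IMSI

    # A foreign terminal saw AMSI and RND1 in the request, but not RND2 or IMSI.
    ch2 = ne.on_channel_request(req)
    forged = other.reveal()
    forged["rnd1"] = req["rnd1"]

    return {
        "honest_accepts_channel": ms.channel_is_mine(ack),
        "honest_reveal_ok": ne.verify_reveal(ch, ms.reveal()),
        "other_terminal_accepts": other.channel_is_mine(ack),
        "takeover_ok": ne.verify_reveal(ch2, forged),
        "channel_released": ch2 not in ne.pending,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
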


Abstract

In known telecommunications systems using multiple access the terminal equipment assumes that the network element is genuine while the network element assumes that the terminal equipment is genuine. This allows false terminal equipment, a false network element or a third party to penetrate the system. The proposed commitment protocol applies bit block commitment known from cryptography and a shared encryption key and the authentication is divided into two parts, whereby one part of it is done by the terminal equipment and the other part is done by the network. The terminal equipment (MS) sends to the network element (BTS) a pseudo identifier (AMSI) which it has formed, whereupon encryption keys (MKEY, BKEY) are exchanged. Only when the network element has revealed its true identity, will the terminal equipment send the required information (IMSI, RND1, RND2) encrypted with a combination of the keys. Finally, the network element authenticates the terminal equipment by using the identity information which it has revealed. Only then can operation commence.

Description

This application is a continuation of international application number PCT/FI97/00765, filed Dec. 8, 1997, pending.
FIELD OF THE INVENTION
This invention concerns origination of data transmission in a multiple access network, wherein the terminal equipment requests a channel for itself from the network using a common access channel intended for all terminal equipment and wherein in response to the request the network on a common access grant channel intended for all terminal equipment makes known that channel to the terminal equipment on which information transmission proper will take place.
BACKGROUND OF THE INVENTION
It is a general principle in telecommunications networks using multiple access that for using services of the network the terminal equipment by using some uplink access method must first inform the network of its desire to gain access to the network. This takes place so that e.g. a special channel is reserved in the network as a common channel for all terminal equipment, which send a request on this channel to obtain a service. Depending on the network, this request may contain just a request to have a channel for two-way data transmission or it may contain information on which particular service is desired and possibly also information on the desired channel capacity. The channel may be a stream type or packet channel. The layer relaying requests is called the Medium Access Control Sublayer (MAC layer) according to the OSI model and it uses services of the physical layer to produce services for the control layer of the logical link.
In time-division cellular multiple access networks a channel is assigned on which all mobile stations when forming mobile originated calls send a request for a traffic channel from the network. The request, which is relayed over the radio path to the base station and from this along a cable to the base station controller, contains the mobile station's identifier IMSI, so that the base station controller will know from whom the request has come. In a GSM system such a channel used by all is called Random Access Channel (RACH). Should collisions between requests occur on the channel, the mobile station will try again after a moment until the request is received. The network sends to the mobile stations acknowledgements of the requests on a channel to which all mobile stations are listening. In a GSM system this channel is called Access Grant Channel (AGCH): the acknowledgement contains the mobile station's identifier, from which the mobile station will know that the message is intended for itself, and the number of the channel allocated by the network as a traffic channel.
Access in accordance with the MAC protocol is also used in interactive cable TV systems, where a desired audiovisual service can be transferred to several recipients through a fixed network. The physical transfer path may be a coaxial cable and/or an optical cable or a radio network or the distribution may take place through a satellite. In the system the name Head End is given to a central place where an incoming dispatch is divided over several physical signal paths, such as several optical fibers, by which the dispatch is taken closer to the consumers. In the systems, transmission may take place both in downlink and uplink directions in time slots which are numbered starting from zero and ending with some max number, after which numbering starts again. The time slots 0, . . . , max form a frame. For terminals to be able to send information upwards, such a channel may be used in the uplink direction where the access form is Aloha, whereby all subscribers may send requests in any time slot. The network acknowledges a successful transmission by echo checking on a downlink channel. In the uplink direction, only a certain time slot may alternatively be used for sending requests. This is a slotted Aloha access type. It is essential also in these systems for the terminal to include its identifiers in its access message, so that the Head End may know who sent the request.
It is characteristic according to FIG. 1 for systems of the described type that when several terminal equipment A wish to communicate with network B, they request a private channel on a common channel U. The request message contains requester A's identifier. The network element may perform authentication of the requester, and if the matter is OK, it will allocate a private channel T for the requestor and will send information about the channel either on the same common channel U or on another common return path channel D. The information contains requester A's identifier. A receives the message and begins communicating on the allocated channel T.
FIG. 2 shows exchange of messages used in network access in a known GSM mobile telephone system. When a mobile station wishes to form a call, it sends on a one-way (uplink direction) Random Access Channel (RACH) to the base station a Channel Request to have a Traffic Channel (TCH) at its disposal, step 211. The request contains a 5-bit random number, which first functions as the mobile station's identifier. The base station receives, step 213, and relays the request to the base station controller, which selects a free channel, activates it on the base station, step 212, and then forms an Immediate Assignment, which the base station sends on a Paging and Access Grant Channel (PAGCH) to the mobile station, step 214. The assignment contains a description of the allocated channel, a preset timing value, the transmission power value to be used and the same 5-bit random number which was sent by the mobile station, and also the time slot number with which the base station had received the channel request. With this information the mobile station is able to distinguish the message intended for itself and will learn the allocated traffic channel, step 215.
The mobile station then signals to the base station on the traffic channel the link layer initial message containing the SABM frame. In this message the mobile station states its identity IMSI (International Mobile Subscriber Identity) or its Temporary Mobile Subscriber Identity (TMSI), step 224. The base station receives the message, step 226, and acknowledges it with a response message, the UA frame of which contains the identity of the mobile station, step 228. The mobile station compares its own identity with the received identity, step 223, and if the identities are similar, it will know that the traffic channel is reserved for itself.
Before starting operation, authentication is also performed on the principle that the network puts a question to the mobile station to which only the right mobile station will know the answer. Authentication is based on an authentication algorithm A3 and on a subscriber-specific authentication key Ki. In the early part of authentication the authentication center AuC sends a question to the mobile station which is a random number RAND. The mobile station receives the RAND, transfers it to the SIM card, which performs the A3 algorithm with its aid and with the aid of the subscriber-specific key Ki in the card. The Signed Result (SRES) is sent by the mobile station to the network. Authentication center AuC compares the SRES value with the value which it has computed itself using the same A3 algorithm, RAND and key Ki. If the SRESs are identical, the authentication is approved, otherwise the subscriber is denied access to the network. The mobile station uses the received RAND and Ki values also for computing a connection-specific encryption key Kc. In the network, authentication center AuC performs the same algorithm with the same values, thus resulting in the same encryption key. Both store the key in memory and in addition the mobile station sends the key to authentication center AuC, which checks to make sure that both are using the same keys.
It is a noteworthy feature in the process shown in FIG. 2 that the mobile station has sent its own identity to the network before it is quite sure that the traffic channel is allocated to itself and to nobody else.
It is taken for granted in known systems of the type shown in FIG. 1 that the party A requesting access knows as a matter of course that network element B is exactly what A assumes it to be and that network element B will not doubt that the terminal equipment using the received symbol is terminal equipment A.
It is a problem in these systems that the network always performs the authentication. It is hereby possible for a third party to come between the identifying party and the one to be identified, to eavesdrop on the first messages and to put himself in the other party's place. This is possible especially if a part of the transmission path between A and B is a radio path, which is the case in mobile telephone networks, but likewise in fixed networks a third party may connect to the line and eavesdrop on the traffic. It is hereby possible for the third party to capture a channel request message sent by terminal equipment A and to interpret from this the request and, above all, A's identifier. It will then in one way or another eliminate terminal equipment A and take its place. It then receives the channel allocation message sent by the network element, connects to the channel pretending to be terminal equipment A and thus gains access to the network. There is no possibility for network element B to know that it is communicating with a third party instead of the genuine terminal equipment A.
It is also possible for network element B to be the impostor. Hereby terminal equipment A when contacting network element B immediately gives it its identity data in the first message. B hereby knows who A is, but A does not know that B is only pretending to be A. Such a situation is possible e.g. in mobile station networks, whereby a “false” base station may take the place of the genuine one and thus eavesdrop on and control the radio traffic.
It is not possible with state-of-the-art systems to prevent situations as those described above. The present invention thus aims at a method by which it is possible to prevent the described situations, and such a case in particular where the terminal equipment never discloses its identity to any third party eavesdropping on the traffic between the terminal equipment and the network element and where the terminal equipment will disclose its identity only when being sure that the network element really is the one it declares itself to be, whereby when the network element is an impostor it will never know the true identity of the terminal equipment.
The method according to the invention is characterized by the features defined in the independent claims.
BRIEF SUMMARY OF THE INVENTION
The proposed method is based on the fact that the commitment protocol applies bit commitment known from cryptography and a shared encryption key and that authentication is divided into two, whereby a part of the authentication is done by the terminal equipment and the other part is done by the network. The terminal equipment first makes sure that the network element is authentic by performing authentication of the network element. In this connection the network element will disclose its own identity. Then the terminal equipment reveals its own identity to the network element by sending the necessary information on a protected channel. Finally, the network element authenticates the terminal equipment by using the identity information which it has disclosed. Only after this can traffic be started.
The terminal equipment requesting access in the commitment protocol first makes a pseudo identifier for itself, which it forms by applying a one-way hash function to its correct identifier. The hash function is not applied to the identifier as such, but the correct identifier is first encrypted. This being the case, the network or network element upon receiving the pseudo identifier can not get to know the correct identifier without the code. When the network element has stated the traffic channel to the terminal equipment, about which it knows only the pseudo identifier at this stage, the terminal equipment will generate its own security key half, that is, the first partial key, and will send it to the network. On receiving the partial key the network element will also form its own security key half, that is, the second partial key. It sends these to the terminal equipment of the pseudo identifier, so both parties will at this stage have both partial keys in their possession.
The terminal equipment checks if the pseudo identifier received from the network element and the pseudo identifier it formed earlier itself are identical, and if they are, it will perform authentication of the network element in some known manner.
After authentication, the network element has revealed itself to the terminal equipment, but the real identity of the terminal equipment is still known only to the terminal equipment. The network element will not get to know the real identity until the terminal equipment has sent information to it on how the true identity was encrypted before the use of the hash function.
The terminal equipment now sends its own true identifier to the network element. For this purpose, the terminal equipment forms a message containing a) its true identifier, b) information on how the true identifier was encrypted before application of the hash function. It encrypts the message before sending it by using a key formed both of the first and of the second partial key.
The network element receives the message, decodes it using the first and second partial key and checks if the contents of the message are correct. If they are, the network element will perform authentication of the terminal equipment by some known method.
After a successfully performed commitment protocol and mutual authentication, traffic can be started on the traffic channel.
LIST OF FIGURES
The invention will be described in greater detail referring to the enclosed diagrammatic drawings, wherein
FIG. 1 shows state-of-the-art message exchange;
FIG. 2 shows message exchange in a mobile telephone system;
FIG. 3 shows a commitment protocol according to the invention; and
FIG. 4 illustrates exchange of messages.
DESCRIPTION OF THE INVENTION IN DETAIL
FIG. 3 shows a method according to the invention as applied to a GSM cellular system. It thus contains the same elements as the basic procedure shown in FIG. 2, so the description will also refer to FIG. 2 when required.
The commitment protocol to be used in the invention requires five steps, each one of which is known from cryptography:
1. bit block commitment,
2. exchange of keys,
3. identification of the network element,
4. revealing the terminal equipment's identity to the network element, and
5. identification of the terminal equipment.
The method of bit block commitment is described in detail in a book by Bruce Schneier: “Applied Cryptography, Second Edition, Protocols, Algorithms, and Source Code in C”, John Wiley & Sons, Inc., 1996, ISBN 0-471-11709-9. The method is such that
1) party A first forms random bit strings R1 and R2.
2) Then it forms a message containing these random bit strings and that bit string S (e.g. an identifier, some message or other), which it wishes to give to party B, however, so that party B will not get to know bit string S without A's permission. Random bit strings R1 and R2 as well as identifier S are simply located one after the other in the message.
3) Party A applies a one-way hash function h to the message and sends the result h(R1, R2, S) and either one of the random strings, e.g. R1, to party B. This transmission proves to B that A has really sent bit string S. The use of a one-way hash function prevents B from inverting the function, and for this reason B, although knowing the hash function and one random string R1, can not get to know bit string S, because the other random string R2 is hashed.
4) When it is time for party A to disclose bit string S, it will send the original message (R1, R2, S) to party B.
5) Party B applies a one-way hash function to this message and compares the result and random string R1 to that which party A already sent earlier in step 3. If all tally, the received string S is correct.
In this known method, party B does not send even the first message. It is a known property of the one-way hash function that from a binary string of arbitrary length it will produce a string of a fixed length, “a secure fingerprint”. Hereby, when H=h(M), wherein M is a binary string of arbitrary length, h is a one-way hash function and H is a binary string of fixed length, the following will hold: a) when M is given, H may be easily calculated, b) when H is given, it is impossible to find such an M that h(M)=H would be true, c) when M is given, it is impossible to find such an M′ that h(M′)=h(M) would be true, and d) it is impossible to find two random strings M and M′ so that h(M)=h(M′) would be true.
Of known hash functions which may be used in this invention, SHA (Secure Hash Algorithm) and MD5 (Message Digest Algorithm 5) may be mentioned, but it is of course possible in principle to use any kind of other known hash function.
The purpose of the key exchange algorithm used in the commitment protocol is to form an encryption key for two or more parties even if there is no secure transfer channel between the parties. The Diffie-Hellman key exchange described in the publication referred to above and the RSA public key encryption algorithm are well suited for use in this invention.
The commitment protocol according to the invention will now be described referring to FIG. 3. Instead of sending only a random number in the channel request message on the call channel, the mobile station sends a pseudo identifier AMSI. This it forms as follows by using the one-way hash function, step 311, FIG. 3,
AMSI=h(IMSI, RND1, RND2)
wherein h is some one-way hash function, IMSI is the mobile station's real identifier, the first random number RND1 is a string of binary figures of finite length while the second random number RND2 is a string of binary figures of finite length. Thus, the real identifier is coded in a sense with the first and second random numbers by simply placing the numbers and the identifier in a sequence to form a chain, and the hash function is applied to the chain. The mobile station sends its pseudo identifier AMSI and the first random number RND1 through the transmission network to the network element, step 312.
It should be noted that the transmission network may be either just a radio path or a combination of radio path and cable network depending on whether the network element means a base station, a base station controller or a mobile telephone exchange. The essential nature of the network element is not essential to the invention.
The base station controller receives relayed by the base station a channel request message containing a pseudo identifier AMSI, step 313, whereupon it performs selection and activation of the traffic channel, as in the known method, that is, step 23 in FIG. 2, and in the normal manner sends a channel allocation message, wherein the allocated traffic channel is indicated, step 314.
Then some transactions are performed in the commitment protocol before the real identifier IMSI is revealed. The mobile station first makes its own security key MKEY, which is here called the first partial key, step 315. Information contained in the first partial key is used in the key exchange procedure to be carried out later. It places the partial key which it has formed in the originating message and it signals the message to the base station on the indicated traffic channel, step 316.
The network element receives the first partial key of the message, step 317. It then makes its own security key BKEY, which is here called the second partial key, step 318. Information contained in the second partial key is used in the key exchange procedure to be performed later. It then forms an acknowledgement message containing the pseudo identifier AMSI which it received earlier and the second encryption key BKEY which it has formed, and it sends an acknowledgement message to the mobile station, step 320.
The mobile station receives the acknowledgement message, step 321, and separates the elements of its contents. It examines first whether the pseudo identifier AMSI contained in the message is the same as the pseudo identifier AMSI which it created itself in step 311. If the comparison, step 322, shows that the pseudo identifiers are different, the mobile station will know that the traffic channel indicated in step 314 was not intended for itself, so it must start the access process from the beginning, from step 311. If the comparison shows that the pseudo identifiers are identical, the mobile station will know that the traffic channel indicated in step 314 is really intended for itself.
In the following step 323, the mobile station performs authentication of the network element to make sure that the network element, in this case a base station, really is what it claims to be. The authentication procedure may be any procedure, e.g. the authentication procedure nowadays used in the GSM system is suitable.
After a successful authentication the mobile station knows that it is dealing with a real base station and not with an impostor, so it is time for it to reveal its true identity. To this end it forms a message containing the real identifier IMSI (or the temporary identifier TMSI, if there is one), the first random number RND1 and the second random number RND2. Thus, the message is the same as the one to which it applied the hash function in step 311. Finally, it encrypts the whole message with encryption key BMKEY, which is formed of the first partial key MKEY and of the second partial key BKEY, step 324. The mobile station sends this key-encrypted message to the network, step 325.
Now then, it is time for the network element to see which is the mobile station's true identifier. First, step 326, the network element decodes the encrypted message by using security key BMKEY, which is a combination of the second partial key BKEY which it generated itself in step 318 and of the first partial key MKEY received from the mobile station in step 317. The network element then performs a check of the validity of elements contained in the message, step 327. First, it calculates the result of the formula AMSI=h(IMSI, RND1, RND2) calculated by using elements of the message. It then examines whether the AMSI produced by the formula is the same as the one it received earlier from the mobile station in step 313. Finally, it checks if the second random number RND1 given in the message is the same as the one it received in step 313. If all AMSIs are exactly identical and the second random numbers tally, the network element will be assured that the mobile station is exactly the same as the one at issue in the beginning of the process. If the received values do not tally fully in the check, the network element will interrupt the access protocol and will remove the traffic channel from use by this session, whereby it may be allocated to some other connection.
If all things are okay so far, the network element will also perform authentication of the mobile station. If the authentication gives a proper result, traffic may commence on the indicated traffic channel.
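The bit block commitment described above and the check the network element makes on it in step 327, written out as an added example (this is not code from the patent). SHA-256 stands in for h, the 16-byte random numbers and the length-prefixed field encoding are assumptions, the IMSI values are constructed, and the BMKEY encryption of the reveal message is left out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

RND_LEN = 16  # assumption: the text only requires strings "of finite length"


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix each field so (IMSI, RND1, RND2) has one unambiguous encoding."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def make_amsi(imsi: str, rnd1: bytes, rnd2: bytes) -> bytes:
    """AMSI = h(IMSI, RND1, RND2); SHA-256 stands in for h (assumption)."""
    return hashlib.sha256(encode_fields(imsi.encode("utf-8"), rnd1, rnd2)).digest()


@dataclass(frozen=True)
class Reveal:
    """Contents of the step 325 message after the network element has decrypted it."""
    imsi: str
    rnd1: bytes
    rnd2: bytes


class MobileStation:
    def __init__(self, imsi: str):
        self.imsi = imsi
        self.rnd1 = secrets.token_bytes(RND_LEN)
        self.rnd2 = secrets.token_bytes(RND_LEN)  # stays secret until the reveal
        self.amsi = make_amsi(imsi, self.rnd1, self.rnd2)

    def channel_request(self):
        """Steps 311-312: only AMSI and RND1 are sent on the common channel."""
        return self.amsi, self.rnd1

    def accepts_ack(self, echoed_amsi: bytes) -> bool:
        """Step 322: the channel is ours only if the echoed AMSI matches our own."""
        return hmac.compare_digest(echoed_amsi, self.amsi)

    def reveal(self) -> Reveal:
        """Step 324: open the commitment, only after the network element is authenticated."""
        return Reveal(self.imsi, self.rnd1, self.rnd2)


class NetworkElement:
    def __init__(self):
        self.pending = {}  # traffic channel -> (AMSI, RND1) taken from the channel request

    def on_channel_request(self, channel: int, amsi: bytes, rnd1: bytes) -> bytes:
        """Steps 313-320: store the commitment and echo AMSI in the acknowledgement."""
        self.pending[channel] = (amsi, rnd1)
        return amsi

    def on_reveal(self, channel: int, msg: Reveal):
        """Step 327: return the IMSI if the opened commitment tallies, else None.

        The pending entry is consumed either way, so a failed or repeated
        reveal leaves the channel free for another session.
        """
        stored = self.pending.pop(channel, None)
        if stored is None:
            return None
        if len(msg.rnd1) != RND_LEN or len(msg.rnd2) != RND_LEN:
            return None
        amsi, rnd1 = stored
        recomputed = make_amsi(msg.imsi, msg.rnd1, msg.rnd2)
        amsi_ok = hmac.compare_digest(recomputed, amsi)
        rnd1_ok = hmac.compare_digest(msg.rnd1, rnd1)
        return msg.imsi if (amsi_ok and rnd1_ok) else None


def demo():
    imsi = "244050000000001"  # constructed sample identifier
    bts = NetworkElement()
    ms = MobileStation(imsi)
    amsi, rnd1 = ms.channel_request()
    echoed = bts.on_channel_request(7, amsi, rnd1)
    honest = ms.accepts_ack(echoed) and bts.on_reveal(7, ms.reveal())

    # A foreign terminal that saw AMSI and RND1 on the air does not know RND2
    # or the IMSI, so the recomputed hash cannot match the stored commitment.
    bts.on_channel_request(8, amsi, rnd1)
    forged = Reveal("244059999999999", rnd1, secrets.token_bytes(RND_LEN))
    return {"honest": honest, "foreign": bts.on_reveal(8, forged)}


if __name__ == "__main__":
    print(demo())
```
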
The signal diagram in FIG. 4 shows messages which are exchanged on the radio path between mobile station MS and base station BTS in the procedure shown in FIG. 3. Excepting authentication messages, there is hardly any more exchange of messages in the proposed method than in a state-of-the-art GSM system. The main information exchanged in the messages is shown within parentheses in the figure. The channels are also marked, and as can be noticed a major part of the messages is signaled on the traffic channel.
The purpose of the authentication of the network element, e.g. the base station, in steps 323 in FIGS. 3 and 4 is to provide the terminal equipment, e.g. the mobile station, with a possibility to check that it shares the secret key MBKEY with an honest network element, in other words, that the network element has such an operator's certificate which the terminal equipment trusts. Authentication of the network element is limited by the circumstance that the terminal equipment must perform authentication based on that information only which the network element supplies. ISO standard X.509 presents a set of authentication protocols which are suitable for use in this method. A brief description will be given of a straightforward protocol based on certificate and digital signature, as an example of a possible protocol by which the mobile station may make sure the relation of the base station and the key MBKEY:
1. MS sends a randomly chosen string of binary figures RDN3 to the base station.
2. The base station receives the RDN3 and makes a message containing a certificate and the RDN3. It signs the message with a digital signature and then encrypts the message by using the key MBKEY and sends the message to the mobile station.
3. The mobile station decodes the encrypted message, checks the signature, the signature to the certificate and makes sure that the string of random figures sent in the message is the same as the one which it has sent earlier to the base station. If the message passes all these checks, then the authentication has given a positive result.
The purpose of the authentication of terminal equipment, e.g. of a mobile station, by the network element in step 328 shown in FIGS. 3 and 4 is to give an honest network element a possibility to make sure that it shares a common secret key (MBKEY) with such a piece of terminal equipment, the identifier of which (IMSI/TMSI) is exactly the one which the terminal equipment has sent in its message revealing the true identifier in step 325 of FIG. 3. The authentication differs from the authentication performed by the terminal equipment (the mobile station) for the reason that the terminal equipment has already revealed its true identity. For this reason, the network element performs an inquiry to some suitable database of the network asking for information about the terminal equipment which has this very identifier (IMSI/TMSI). In a mobile network the database is by nature a home location register (HLR). If the register information relating to the identifier indicates that all is okay, then the authentication has given a positive result and traffic may commence.
When using a commitment protocol according to the invention, at least three security factors will be achieved:
Firstly, it is impossible for a third party to find out the identifier of the terminal equipment when performing the protocol. It can be seen from FIG. 4 that the identifier of the terminal equipment is sent in messages 1, 4 and 6. It results from the characteristics of the hash function described on page 7 that a trespasser cannot possibly calculate the true identifier from messages 1 and 4. The true identifier to be transmitted in step 6 is encrypted with a common key, which is known only to the parties, so a trespasser cannot find out the identifier without breaking the encryption algorithm.
Secondly, any foreign base station trying to put itself in the position of the real base station may indeed capture messages 1-4, FIG. 4, but if the authentication of the base station performed by the terminal equipment proceeds as it should, it will realize that the base station is not genuine and will discontinue the protocol. As the terminal equipment has sent its pseudo identifier only, no deceitful base station will be able in any way to calculate the true identifier thanks to the characteristic of the one-way hash function.
Thirdly, an honest base station is able to conclude whether the terminal equipment for which the channel was allocated is that very terminal equipment which sent the channel request. Based on the characteristics of the one-way hash function presented on page 7 it is impossible for any other terminal equipment than the one which has sent the channel request to calculate such parameters that would lead to an acceptable final result after the reception of message 6 in the base station of FIG. 4. Under these circumstances, the terminal equipment may on good grounds conclude if the traffic channel is intended exactly for itself, having received the acknowledgement message, message 4 in the figure.
The network element notices the attempt of a foreign terminal equipment to “steal” a traffic channel from the original requester, step 6 in FIG. 4, because it has received the pseudo identifier AMSI from the requester in the beginning of the protocol and because it is impossible for any foreign terminal equipment to calculate the second random number and the true identifier from the pseudo identifier.
The proposed commitment protocol adds to the traffic on the transmission path to some extent, mainly for the reason that message lengths will grow compared e.g. to typical message lengths in a GSM system. The length of the pseudo identifier is 160 bits, if the MD5 algorithm is used as hash function. If the Diffie-Hellman key exchange algorithm is used in the key exchange, the amount of information to be transmitted will be at least 500-1000 bits.
The proposed commitment protocol may be applied within the scope of the claims to any telecommunications network where the terminal equipment using joint resources first requests a connection from the network for transmission of information and the network in response to the request indicates the required connection.

Claims (6)

What is claimed is:
1. Method of authentication between communicating parties in a telecommunications network, wherein a network element and terminal equipment perform authentication of each other and wherein the network element in response to an access message of the terminal equipment allocates a traffic channel on which the traffic is carried out, the method comprising:
forming in the terminal equipment a pseudo identifier by applying a one-way hash function to content elements comprising a true identifier of the terminal equipment and two random numbers;
sending the pseudo identifier and one of the random numbers in the access message;
forming in the terminal equipment a first partial key;
sending the first partial key to the network element on the traffic channel;
forming in the network element a second partial key;
sending the second partial key and the pseudo identifier to the terminal equipment on the traffic channel;
performing in the terminal equipment authentication of the network element;
forming in the terminal equipment, after successful authentication, a new message containing the true identifier non-encrypted; and
sending to the network element on the traffic channel the new message encrypted with both partial keys.
2. Method as defined in claim 1, wherein when the pseudo identifier received by the terminal equipment and the pseudo identifier which it formed earlier are identical, the terminal equipment will perform authentication of the network element.
3. Method as defined in claim 2, wherein after a successful authentication the terminal equipment will form a new message containing content elements of the hash function and will send the new message to the network element encrypted with the first and second partial keys.
4. Method as defined in claim 3, wherein the network element deciphers the encryption of the new message using the first and second partial keys and performs authentication of the content elements.
5. Method as defined in claim 4, wherein in the authentication the network element:
applies a hash function to the content elements and compares the result with that pseudo identifier which it has received earlier in the access message,
it compares to find out whether the second random number stated in the message is identical to the one which it received earlier in the access message.
6. Method as defined in claim 5, wherein when comparisons show that the pseudo identifier and the second random number are true, the network element will perform authentication of the terminal equipment.
US09/327,609 1997-12-08 1999-06-08 Authentication between communicating parties in a telecommunications network Expired - Lifetime US6225888B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/FI1997/000765 WO1998026538A1 (en) 1996-12-10 1997-12-08 Authentication between communicating parties in a telecommunications network

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI1997/000765 Continuation WO1998026538A1 (en) 1996-12-10 1997-12-08 Authentication between communicating parties in a telecommunications network

Publications (1)

Publication Number Publication Date
US6225888B1 true US6225888B1 (en) 2001-05-01

Family

ID=8556696

Family Applications (1)

Application Number Title Priority Date Filing Date
US09/327,609 Expired - Lifetime US6225888B1 (en) 1997-12-08 1999-06-08 Authentication between communicating parties in a telecommunications network

Country Status (1)

Country Link
US (1) US6225888B1 (en)

Legal Events

Date Code Title Description
AS Assignment

Owner name: NOKIA TELECOMMUNICATIONS OY, FINLAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:JUOPPERI, JARI;REEL/FRAME:010102/0557

Effective date: 19990628

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

FEPP Fee payment procedure

Free format text: PAYER NUMBER DE-ASSIGNED (ORIGINAL EVENT CODE: RMPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: NOKIA SIEMENS NETWORKS OY, FINLAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NOKIA CORPORATION;REEL/FRAME:020837/0726

Effective date: 20070913

FPAY Fee payment

Year of fee payment: 8

FPAY Fee payment

Year of fee payment: 12

AS Assignment

Owner name: NOKIA SOLUTIONS AND NETWORKS OY, FINLAND

Free format text: CHANGE OF NAME;ASSIGNOR:NOKIA SIEMENS NETWORKS OY;REEL/FRAME:034294/0603

Effective date: 20130819